Anchi Zhang
2010-Feb-10 21:21 UTC
[Puppet Users] Failed to retrieve current state of resource: Error 400 on SERVER: Permission denied
Greetings,

ruby 1.8.7, facter 1.5.7, puppet 0.25.2, and Solaris 10 on sun4u.

From /etc/puppet/fileserver.conf,

    [solaris]
    path /etc/puppet/manifests/solaris
    allow *

From /etc/puppet/manifests/site.pp,

    file { "/etc/shadow":
        source => "puppet:///solaris//etc/shadow",
    }

And,

    ls -l /etc/puppet/manifests/solaris/etc/shadow
    -r-------- 1 root sys 536 Feb 8 17:25 /etc/puppet/manifests/solaris/etc/shadow

I get the following errors unless the source is world readable.

On puppetmaster,

    err: Permission denied - /etc/puppet/manifests/solaris/etc/shadow

On puppet client,

    err: //solaris/Solaris::Files[/etc/shadow]/File[/etc/shadow]: Failed to retrieve current state of resource: Error 400 on SERVER: Permission denied - /etc/puppet/manifests/solaris/etc/shadow Could not retrieve file metadata for puppet:///solaris//etc/shadow: Error 400 on SERVER: Permission denied - /etc/puppet/manifests/solaris/etc/shadow at /etc/puppet/manifests/site.pp:114

Your pointers, please.

Anchi

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
jcbollinger
2010-Feb-10 23:10 UTC
[Puppet Users] Re: Failed to retrieve current state of resource: Error 400 on SERVER: Permission denied
On Feb 10, 3:21 pm, Anchi Zhang <anchi.zh...@gmail.com> wrote:

[...]

> file { "/etc/shadow":
>     source => "puppet:///solaris//etc/shadow",
> }

[...]

> I get the following errors unless the source is world readable.
>
> On puppetmaster,
>
> err: Permission denied - /etc/puppet/manifests/solaris/etc/shadow

[...]

The puppetmasterd process needs to be able to read the file to serve it.
You shouldn't need to make it world-readable, however, if you change
the file so that the puppetmasterd process's user owns it. In other
words, if the puppetmasterd is running as user "puppet" then change
the source file to be owned by puppet.

You could work a similar trick by changing the file's group and making
it group readable.

John
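
Added example, not part of the original thread or of Puppet itself: a shell check that audits a fileserver mount for the two conditions discussed above, files left world-readable and files that neither the owner fix nor the group fix makes readable. The function names are hypothetical, and the service user and group are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a Puppet fileserver mount directory.
# Assumption: the caller passes the mount directory plus the user and group
# that puppetmasterd runs as (names or numeric ids).

# Files any local account on the master can read, i.e. the workaround the
# thread wants to avoid for something like a copy of /etc/shadow.
world_readable() {
    find "$1" -type f -perm -004 -print
}

# Files covered by neither fix from the thread: not (owned by user $2 with the
# owner-read bit), not (group $3 with the group-read bit), and not
# world-readable either. This checks ownership and mode bits only, not ACLs.
unreadable_by_service() {
    find "$1" -type f \
        \( ! -user "$2" -o ! -perm -400 \) \
        \( ! -group "$3" -o ! -perm -040 \) \
        ! -perm -004 -print
}

# Print findings and return non-zero if there are any.
audit_mount() {
    wr=$(world_readable "$1")
    un=$(unreadable_by_service "$1" "$2" "$3")
    if [ -n "$wr" ]; then
        printf '%s\n' "$wr" | sed 's/^/WORLD-READABLE /'
    fi
    if [ -n "$un" ]; then
        printf '%s\n' "$un" | sed 's/^/UNREADABLE /'
    fi
    [ -z "$wr" ] && [ -z "$un" ]
}

# Usage: sh audit.sh <mount-dir> <service-user> <service-group>
if [ "$#" -eq 3 ]; then
    audit_mount "$1" "$2" "$3"
fi
```

Run it against the directory named in the `path` line of the mount in fileserver.conf; a clean mount prints nothing and exits 0.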
Anchi Zhang
2010-Feb-11 15:16 UTC
Re: [Puppet Users] Re: Failed to retrieve current state of resource: Error 400 on SERVER: Permission denied
On Wed, Feb 10, 2010 at 5:10 PM, jcbollinger <John.Bollinger@stjude.org> wrote:

> On Feb 10, 3:21 pm, Anchi Zhang <anchi.zh...@gmail.com> wrote:
>
> [...]
>
> > file { "/etc/shadow":
> >     source => "puppet:///solaris//etc/shadow",
> > }
>
> [...]
>
> > I get the following errors unless the source is world readable.
> >
> > On puppetmaster,
> >
> > err: Permission denied - /etc/puppet/manifests/solaris/etc/shadow
>
> [...]
>
> The puppetmasterd process needs to be able to read the file to serve it.
> You shouldn't need to make it world-readable, however, if you change
> the file so that the puppetmasterd process's user owns it. In other
> words, if the puppetmasterd is running as user "puppet" then change
> the source file to be owned by puppet.
>
> You could work a similar trick by changing the file's group and making
> it group readable.
>

Thank you for the pointers. My thinking was that if puppetd was allowed to
do "owner => root" puppetmasterd should be able to read files owned by root,
without realizing puppetd was running as root.
jcbollinger
2010-Feb-12 14:24 UTC
[Puppet Users] Re: Failed to retrieve current state of resource: Error 400 on SERVER: Permission denied
On Feb 11, 9:16 am, Anchi Zhang <anchi.zh...@gmail.com> wrote:

> Thank you for the pointers. My thinking was that if puppetd was allowed to
> do "owner => root" puppetmasterd should be able to read files owned by root,
> without realizing puppetd was running as root.

You're welcome. Yes, puppetmasterd and puppetd are independent, and
each is subject to the standard security scheme of the host on which
it runs. As you observed, puppetd requires great privilege to perform
some of the actions in its repertoire. Not so much puppetmasterd.

John